{
	"id": "f8485150-ca0d-4d05-b181-7a0570c955c0",
	"created_at": "2026-04-06T00:13:19.029496Z",
	"updated_at": "2026-04-10T03:21:17.96165Z",
	"deleted_at": null,
	"sha1_hash": "0d113fcd85711233e2b30c9d683a233cb2215c75",
	"title": "Schroedinger’s Pet(ya)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1157147,
	"plain_text": "Schroedinger’s Pet(ya)\r\nBy GReAT\r\nPublished: 2017-06-27 · Archived: 2026-04-05 16:11:43 UTC\r\nUPDATE June 28th, 2017: After analysing the encryption routine of the malware used in the Petya/ExPetr attacks, we have concluded that the threat actor cannot decrypt victims’ disks, even if a payment is made. It appears this malware campaign was designed as a wiper pretending to be ransomware. Read more: ExPetr/Petya/NotPetya is a Wiper, Not Ransomware\r\nEarlier today (June 27th), we received reports about a new wave of ransomware attacks (referred to in the media by several names, including Petya, Petrwrap, NotPetya and exPetr) spreading around the world, primarily targeting businesses in Ukraine, Russia and Western Europe. If you were one of the unfortunate victims, this screen might look familiar:\r\nKaspersky Lab solutions successfully stop the attack through the System Watcher component. This technology protects against ransomware attacks by monitoring system changes and rolling back any potentially destructive actions.\r\nAt this time, our telemetry indicates more than 2,000 attacks:\r\nOur investigation is ongoing and our findings are far from final at this time. Despite rampant public speculation, the following is what we can confirm from our independent analysis:\r\nHow does the ransomware spread?\r\nTo capture credentials for spreading, the ransomware uses custom tools, à la Mimikatz, which extract credentials from the lsass.exe process.
After extraction, the credentials are passed to PsExec tools or WMIC for distribution inside the network.\r\nOther observed infection vectors include:\r\nA modified EternalBlue exploit, also used by WannaCry.\r\nThe EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010).\r\nhttps://securelist.com/schroedingers-petya/78870/\r\nPage 1 of 4\r\nAn attack against the update mechanism of a third-party Ukrainian software product called MeDoc.\r\nIMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PsExec.\r\nWhat does the ransomware do?\r\nThe malware waits 10-60 minutes after infection before rebooting the system. The reboot is scheduled using system facilities: the “at” or “schtasks” tools together with “shutdown.exe”.\r\nOnce the system reboots, the malware encrypts the MFT (Master File Table) of NTFS partitions; the MBR has been overwritten with a customized loader that displays the ransom note. More details on the ransom note below.\r\nNetwork survey\r\nThe malware enumerates all network adapters and all known server names via NetBIOS, and also retrieves the list of current DHCP leases, if available. Each IP on the local network and each server found is checked for open TCP ports 445 and 139. Machines that have these ports open are then attacked with one of the methods described above.\r\nResources 1 and 2 of the malware binary contain two versions of a standalone tool (32-bit and 64-bit) that tries to extract the logins and passwords of logged-on users. The tool is run by the main binary. All extracted data is transferred back to the main module via a named pipe with a random GUID-like name.\r\nFile Decryption\r\nAre there any hopes of decrypting files for victims already infected?
Unfortunately, the ransomware uses a standard, solid encryption scheme, so this appears unlikely unless a subtle implementation mistake has been made. The following specifics apply to the encryption mechanism:\r\nFor all files, one AES-128 key is generated.\r\nThis AES key is encrypted with the threat actors’ public RSA-2048 key.\r\nThe encrypted AES key is saved to a README file.\r\nKeys are securely generated.\r\nThe criminals behind this attack are asking for $300 in Bitcoin to deliver the key that decrypts the ransomed data, payable to a single, shared Bitcoin wallet. Unlike WannaCry, this technique would work, because the attackers ask victims to send their wallet numbers by e-mail to “wowsmith123456@posteo.net”, thus confirming the transactions. We have seen reports that this e-mail account has already been shut down, effectively making the full decryption chain impossible for existing victims at this time.\r\nAt the time of writing, the Bitcoin wallet has accrued 24 transactions totalling 2.54 BTC, or just under $6,000 USD.\r\nHere’s our shortlist of recommendations on how to survive ransomware attacks:\r\nRun a robust anti-malware suite with embedded anti-ransomware protection, such as System Watcher from Kaspersky Internet Security.\r\nMake sure you update Microsoft Windows and all third-party software.
It’s crucial to apply the MS17-010 bulletin immediately.\r\nDo not open or run attachments from untrusted sources.\r\nBack up sensitive data to external storage and keep it offline.\r\nKaspersky Lab corporate customers are also advised to:\r\nCheck that all protection mechanisms are activated as recommended, and that the KSN and System Watcher components (which are enabled by default) are not disabled.\r\nAn additional measure for corporate customers is to use Application Privilege Control to deny any access (and thus any possibility of interaction or execution) for all application groups to the file named “perfc.dat” and to the PsExec utility (part of the Sysinternals Suite).\r\nYou can alternatively use the Application Startup Control component of Kaspersky Endpoint Security to block execution of the PsExec utility (part of the Sysinternals Suite), but please use Application Privilege Control to block “perfc.dat”.\r\nConfigure and enable the Default Deny mode of the Application Startup Control component of Kaspersky Endpoint Security to ensure and enforce proactive defense against this and other attacks.\r\nFor sysadmins, our products detect the samples used in the attack with these verdicts:\r\nUDS:DangerousObject.Multi.Generic\r\nTrojan-Ransom.Win32.ExPetr.a\r\nHEUR:Trojan-Ransom.Win32.ExPetr.gen\r\nOur behavior detection engine System Watcher detects the threat as:\r\nPDM:Trojan.Win32.Generic\r\nPDM:Exploit.Win32.Generic\r\nIOCs\r\n0df7179693755b810403a972f4466afb\r\n42b2ff216d14c2c8387c8eabfb1ab7d0\r\n71b6a493388e7d0b40c83ce903bc6b04\r\ne285b6ce047015943e685e6638bd837e\r\ne595c02185d8e12be347915865270cca\r\nYara rules\r\nDownload Yara rule expetr.yara as a ZIP archive.\r\nrule ransomware_exPetr {\r\nmeta:\r\ncopyright = \"Kaspersky Lab\"\r\ndescription = \"Rule to detect PetrWrap ransomware samples\"\r\nlast_modified = \"2017-06-27\"\r\nauthor = \"Kaspersky Lab\"\r\nhash = \"71B6A493388E7D0B40C83CE903BC6B04\"\r\nversion = \"1.0\"\r\nstrings:\r\n$a1 = \"MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iD\r\nfullword wide\r\n$a2 = \".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.ph\r\nfullword wide\r\n$a3 = \"DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED\" fullword ascii\r\n$a4 = \"1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX\" fullword ascii\r\n$a5 = \"wowsmith123456@posteo.net.\" fullword wide\r\ncondition:\r\n(uint16(0) == 0x5A4D) and\r\n(filesize \u003c 1000000) and\r\n(any of them)\r\n}\r\nSource: https://securelist.com/schroedingers-petya/78870/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/schroedingers-petya/78870/"
	],
	"report_names": [
		"78870"
	],
	"threat_actors": [],
	"ts_created_at": 1775434399,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d113fcd85711233e2b30c9d683a233cb2215c75.pdf",
		"text": "https://archive.orkl.eu/0d113fcd85711233e2b30c9d683a233cb2215c75.txt",
		"img": "https://archive.orkl.eu/0d113fcd85711233e2b30c9d683a233cb2215c75.jpg"
	}
}